VPS и выделенные серверы (Центр управления хостингом) Справка

Другие номера

What risks are associated with recursive DNS queries?

There are two types of DNS queries: iterative and recursive.

Note: We do not allow recursive DNS to run on dedicated or Virtual Private Servers (VPS) unless it runs locally and for a specific IP range. If we find your server running an improper configuration of recursive DNS, we will exercise our right to suspend your account. The account will remain suspended until arrangements are made to turn off recursive DNS.

Iterative

Iterative DNS queries are ones in which a DNS server is queried and returns an answer without querying other DNS servers, even if it cannot provide a definitive answer. Iterative queries are also called non-recursive queries.

Recursive

Recursive DNS queries occur when a DNS client requests information from a DNS server that is set to query subsequent DNS servers until a definitive answer is returned to the client. The queries made to subsequent DNS servers from the first DNS server are iterative queries.

Recursive DNS query risks

A DNS server that supports recursive resolution is vulnerable to DOS (denial of service) attacks, DNS cache poisoning, unauthorized use of resources, and root name server performance degradation.

DOS attacks

Servers supporting recursive DNS queries are vulnerable to phony requests that flood a particular IP address with the results of each server's query. This can overwhelm the IP address with a volume of traffic too large to be processed.

DNS cache poisoning

Cache poisoning results from someone tricking a DNS server into believing that a fake DNS query response is authentic. Because responses are normally cached, this false information can be distributed to users of that server.

Unauthorized use of resources

With recursive DNS queries enabled, a server is more easily hijacked and its performance compromised.

Root name server performance degradation

When DNS servers are not configured correctly, queries using RFC1918 addressing (also known as "private" addressing) may be leaked to the root name servers, causing a degradation in service for legitimate queries to those servers.

Disabling recursive DNS

You can test to see if Recursive DNS is configured on your server:

Using cmd line on your local computer enter: nslookup google.com 'your server IP'

If you get an error "Query Refused"; Recursive DNS is not enabled. If you get a 'Time Out' please try again, if you get DNS results Recursive DNS is enabled.